| 1 |
On Wed, Jan 17, 2018 at 10:41:21AM -0500, Michael Orlitzky wrote: |
| 2 |
> If I want to create /run/foo and /run/foo/bar, both owned by the "foo" |
| 3 |
> user, how would I do it using newpath? |
| 4 |
> |
| 5 |
> 1. I could create /run/foo with owner "foo", and then create |
| 6 |
> /run/foo/bar with owner "foo". That can be done without modifying |
| 7 |
> existing permissions, but it's not safe, because you wind up working |
| 8 |
> as root in the directory /run/foo which is owned by the non-root |
| 9 |
> "foo" user. If newpath disallows that unsafe operation, this approach |
| 10 |
> is out. |
| 11 |
> |
| 12 |
> 2. I could create /run/foo as root:root, and then create /run/foo/bar as |
| 13 |
> "foo". That much is safe, but then what do I do about /run/foo? It |
| 14 |
> already exists, so if newpath will refuse to modify existing paths, |
| 15 |
> then this approach is out too. |
| 16 |
> |
| 17 |
> That leaves... |
| 18 |
> |
| 19 |
> 3. I can create /run/foo with owner "foo", and then setuid to the foo |
| 20 |
> user. Now, *as the foo user* I can create /run/foo/bar, which will be |
| 21 |
> owned by "foo". There's no risk in doing so, because the "foo" user |
| 22 |
> can only trick himself. Moreover, the directory is writable only by |
| 23 |
> root and the OpenRC user (currently: foo) at that point, so the extra |
| 24 |
> safety precautions don't get in the way. |
| 25 |
|
| 26 |
Everything I'm saying here assumes that /run/foo and /run/foo/bar do not |
| 27 |
exist. If they do, both approaches 1 and 3 will do nothing other than |
| 28 |
warn if the permissions or ownership has changed. |
| 29 |
|
| 30 |
In both approaches 1 and 3, the first step will be to create the |
| 31 |
directory /run/foo then optionally adjust permissions on it. At that |
| 32 |
point newpath will exit. |
| 33 |
|
| 34 |
When the second invocation of newpath starts, we know /run/foo/bar |
| 35 |
does not exist, and creating /run/foo/bar will fail if /run/foo doesn't |
| 36 |
exist. |
| 37 |
|
| 38 |
Since that's true, I don't see what the difference is |
| 39 |
between approaches 1 and 3 or what makes approach 1 so unsafe. Call me |
| 40 |
dense if you must, lol, I'm just not getting it. At this point we know |
| 41 |
that /run/foo is owned by foo, and I've never heard that root working in |
| 42 |
a directory it doesn't own isn't safe. |
| 43 |
|
| 44 |
William |
Archives